
Packet Leashes: A Defense against Wormhole Attacks in Wireless Networks

Yih-Chun Hu, Carnegie Mellon University, yihchun@cs.cmu.edu
Adrian Perrig, Carnegie Mellon University, perrig@cmu.edu
David B. Johnson, Rice University, dbj@cs.rice.edu

Abstract— As mobile ad hoc network applications are deployed, security emerges as a central requirement. In this paper, we introduce the wormhole attack, a severe attack in ad hoc networks that is particularly challenging to defend against. The wormhole attack is possible even if the attacker has not compromised any hosts, and even if all communication provides authenticity and confidentiality. In the wormhole attack, an attacker records packets (or bits) at one location in the network, tunnels them (possibly selectively) to another location, and retransmits them there into the network. The wormhole attack can form a serious threat in wireless networks, especially against many ad hoc network routing protocols and location-based wireless security systems. For example, most existing ad hoc network routing protocols, without some mechanism to defend against the wormhole attack, would be unable to find routes longer than one or two hops, severely disrupting communication. We present a new, general mechanism, called packet leashes, for detecting and thus defending against wormhole attacks, and we present a specific protocol, called TIK, that implements leashes.

This work was supported in part by NSF under grant CCR-0209204, by NASA under grant NAG3-2534, and by gifts from Schlumberger and Bosch. The views and conclusions contained here are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either express or implied, of NSF, NASA, Schlumberger, Bosch, Rice University, Carnegie Mellon University, or the U.S. Government or any of its agencies.

I. INTRODUCTION

The promise of mobile ad hoc networks to solve challenging real-world problems continues to attract attention from industrial and academic research projects. Applications are emerging and widespread adoption is on the horizon. Most previous ad hoc networking research has focused on problems such as routing and communication, assuming a trusted environment. However, many applications run in untrusted environments and require secure communication and routing. Applications that may require secure communications include emergency response operations, military or police networks, and safety-critical business operations such as oil drilling platforms or mining operations. For example, in emergency response operations such as after a natural disaster like a flood, tornado, hurricane, or earthquake, ad hoc networks could be used for real-time safety feedback; regular communication networks may be damaged, so emergency rescue teams might rely upon ad hoc networks for communication.

Ad hoc networks generally use a wireless radio communication channel. The main advantages of such networks are rapid deployment and low cost of operation, since the nodes and wireless hardware are inexpensive and readily available, and since the network is automatically self-configuring and self-maintaining. However, wireless networks are vulnerable to several attacks. In most wireless networks, an attacker can easily inject bogus packets, impersonating another sender. We refer to this attack as a spoofing attack. An attacker can also easily eavesdrop on communication, record packets, and replay the (potentially altered) packets.

In this paper, we define a particularly challenging attack to defend against, which we call a wormhole attack, and we present a new, general mechanism for detecting and thus defending against wormhole attacks. In this attack, an attacker records a packet, or individual bits from a packet, at one location in the network, tunnels the packet (possibly selectively) to another location, and replays it there. The wormhole attack can form a serious threat in wireless networks, especially against many ad hoc network routing protocols and location-based wireless security systems. The wormhole places the attacker in a very powerful position, able for example to further exploit any of the attacks mentioned above, allowing the attacker to gain unauthorized access, disrupt routing, or perform a Denial-of-Service (DoS) attack. We introduce the general mechanism of packet leashes to detect wormhole attacks, and we present two types of leashes: geographic leashes and temporal leashes. Finally, we design an efficient authentication protocol, called TIK, for use with temporal leashes. We focus our discussion in this paper on wireless ad hoc networks, but our results are applicable more broadly to other types of networks, such as wireless LANs and cellular networks.

Section II of this paper presents the wormhole attack and discusses how the wormhole attack can be used against ad hoc network routing protocols. In Section III, we present our assumptions. Section IV presents leashes and discusses a general approach for detecting wormholes. Section V discusses temporal leashes in detail and presents the TIK protocol for instant wireless broadcast authentication, and Section VI provides an evaluation of TIK and packet leashes. Section VII discusses related work, and Section VIII presents our conclusions.

II. PROBLEM STATEMENT

In a wormhole attack, an attacker receives packets at one point in the network, “tunnels” them to another point in the network, and then replays them into the network from that
point. For tunneled distances longer than the normal wireless transmission range of a single hop, it is simple for the attacker to make the tunneled packet arrive sooner than other packets transmitted over a normal multihop route, for example through use of a single long-range directional wireless link or through a direct wired link to a colluding attacker. It is also possible for the attacker to forward each bit over the wormhole directly, without waiting for an entire packet to be received before beginning to tunnel the bits of the packet, in order to minimize delay introduced by the wormhole. Due to the nature of wireless transmission, the attacker can create a wormhole even for packets not addressed to itself, since it can overhear them in wireless transmission and tunnel them to the colluding attacker at the opposite end of the wormhole.

If the attacker performs this tunneling honestly and reliably, no harm is done; the attacker actually provides a useful service in connecting the network more efficiently. However, the wormhole puts the attacker in a very powerful position relative to other nodes in the network, and the attacker could exploit this position in a variety of ways. The attack can also still be performed even if the network communication provides confidentiality and authenticity, and even if the attacker has no cryptographic keys. Furthermore, the attacker is invisible at higher layers; unlike a malicious node in a routing protocol, which can often easily be named, the presence of the wormhole and the two colluding attackers at either endpoint of the wormhole are not visible in the route. As such, the effect of the wormhole on legitimate nodes may even change as nodes move; two legitimate nodes previously connected only by routes through the wormhole and thus possibly unable to communicate, will be able to communicate normally if they come within direct wireless transmission range of each other.

The wormhole attack is particularly dangerous against many ad hoc network routing protocols in which the nodes that hear a packet transmission directly from some node consider themselves to be in range of (and thus a neighbor of) that node. For example, when used against an on-demand routing protocol such as DSR [21] or AODV [33], a powerful application of the wormhole attack can be mounted by tunneling each ROUTE REQUEST packet directly to the destination target node of the REQUEST. When the destination node’s neighbors hear this REQUEST packet, they will follow normal routing protocol processing to rebroadcast that copy of the REQUEST and then discard without processing all other received ROUTE REQUEST packets originating from this same Route Discovery. This attack thus prevents any routes other than through the wormhole from being discovered, and if the attacker is near the initiator of the Route Discovery, this attack can even prevent routes more than two hops long from being discovered. Possible ways for the attacker to then exploit the wormhole include discarding rather than forwarding all data packets, thereby creating a permanent Denial-of-Service attack (no other route to the destination can be discovered as long as the attacker maintains the wormhole for ROUTE REQUEST packets), or selectively discarding or modifying certain data packets.

The neighbor discovery mechanisms of periodic (proactive) routing protocols such as DSDV [32], OLSR [38], and TBRPF [5] rely heavily on the reception of broadcast packets as a means for neighbor detection, and are also extremely vulnerable to this attack. For example, OLSR and TBRPF use HELLO packets for neighbor detection, so if an attacker tunnels through a wormhole to a colluding attacker near node B all HELLO packets transmitted by node A, and likewise tunnels back to the first attacker all HELLO packets transmitted by B, then A and B will believe that they are neighbors, which would cause the routing protocol to fail to find routes when they are not actually neighbors.

For DSDV, if each routing advertisement sent by node A or node B were tunneled through a wormhole between colluding attackers near these nodes, as described above, then A and B would believe that they were neighbors. If A and B, however, were not within wireless transmission range of each other, they would be unable to communicate. Furthermore, if the best existing route from A to B were at least 2n + 2 hops long, then any node within n hops of A would be unable to communicate with B, and any node within n hops of B would be unable to communicate with A. Otherwise, suppose C were within n hops of A, but had a valid route to B. Since A advertises a metric of 1 route to B, C would hear a metric n + 1 route to B. C will use that route if it is not within n + 1 hops of B, in which case there would be an n-hop route from A to C, and a route of length n + 1 from C to B, contradicting the premise that the best real route from A to B is at least 2n + 2 hops long.

The wormhole attack is also dangerous in other types of wireless networks and applications. One example is any wireless access control system that is based on physical proximity, such as wireless car keys, or proximity and token based access control systems for PCs [11, 24]. In such systems, an attacker could relay the authentication exchanges to gain unauthorized access.

One partial approach for preventing wormhole attacks might be to use a secret method for modulating bits over wireless transmissions; once a node is compromised, however, this approach is likely to fail unless the radio is kept inside tamper-resistant hardware. Another approach, known as RF watermarking, authenticates a wireless transmission by modulating the RF waveform in a way known only to authorized nodes [12]. RF watermarking relies on keeping secret the knowledge of which RF waveform parameters are being modulated; furthermore, if that waveform is exactly captured at the receiving end of the wormhole and exactly replicated at the transmitting end of the wormhole, the signal level of the resulting watermark is independent of the distance it was tunneled. As a result, the watermark may still be intact, even though the packet was made to travel beyond the normal wireless transmission range. Although intrusion detection could be used in some cases to detect a wormhole attacker, it is generally difficult to isolate the attacker in a software-only approach, since the packets sent by the wormhole are identical to the packets sent by legitimate nodes. In contrast to these
approaches, the approach we present in this paper, called packet leashes, and the specific protocol we present, called TIK, provide a general solution that does not suffer from these problems.

III. ASSUMPTIONS AND NOTATION

The acronym “MAC” may in general stand for “Medium Access Control” protocol or “Message Authentication Code.” To avoid confusion, we use “MAC” in this paper to refer to the network Medium Access Control protocol at the link layer, and we use “HMAC” to refer to a message authentication code used for authentication (HMAC is a particular instance of a message authentication code [4]).

For reasons such as differences in wireless interference, transmit power, or antenna operation, links between nodes in a wireless network may at times successfully work in only one direction; such a unidirectional wireless link between two nodes A and B might allow A to send packets to B but not for B to send packets to A. In many cases, however, wireless links are able to operate as bidirectional links. A MAC protocol generally is designed to support operation over unidirectional links or is designed only for bidirectional links; the introduction of our TIK protocol does not affect the capability of the MAC protocol to operate over unidirectional links.

Security attacks on the wireless network’s physical layer are beyond the scope of this paper. Spread spectrum has been studied as a mechanism for securing the physical layer against jamming [36]. Denial-of-Service (DoS) attacks against MAC layer protocols are also beyond the scope of the paper; MAC layer protocols that do not employ some form of carrier sense, such as pure ALOHA and Slotted ALOHA [1], are less vulnerable to DoS attacks, although they tend to use the channel less efficiently.

We assume that the wireless network may drop, corrupt, duplicate, or reorder packets. We also assume that the MAC layer contains some level of redundancy to detect randomly corrupted packets; however, this mechanism is not designed to replace cryptographic authentication mechanisms.

We assume that nodes in the network may be resource constrained. Thus, in providing for wormhole detection, we use efficient symmetric cryptography, rather than relying on expensive asymmetric cryptographic operations. Especially on CPU-limited devices, symmetric cryptographic operations (such as block ciphers and hash functions) are three to four orders of magnitude faster than asymmetric cryptographic operations (such as digital signatures).

We assume that a node can obtain an authenticated key for any other node. Like public keys in systems using asymmetric cryptography, these keys in our protocol TIK (Section V) are public values (once disclosed), although TIK uses only symmetric (not asymmetric) cryptography. A traditional approach to this authenticated key distribution problem is to build on a public key system for key distribution; a trusted entity can sign public-key certificates for each node, and the nodes can then use their public-key to sign a new (symmetric) key being distributed for use in TIK. Zhou and Haas [46] propose such a public key infrastructure; Hubaux, Buttyán, and Čapkun bootstrap trust relationships from PGP-like certificates without relying on a trusted public key infrastructure [19]; Kong et al. [25] propose asymmetric mechanisms for threshold signatures for certificates. Alternatively, a trusted node can securely distribute an authenticated TIK key using only symmetric-key cryptography [35] or non-cryptographic approaches [42].

IV. DETECTING WORMHOLE ATTACKS

In this section, we introduce the notion of a packet leash as a general mechanism for detecting and thus defending against wormhole attacks. A leash is any information that is added to a packet designed to restrict the packet’s maximum allowed transmission distance. We distinguish between geographical leashes and temporal leashes. A geographical leash ensures that the recipient of the packet is within a certain distance from the sender. A temporal leash ensures that the packet has an upper bound on its lifetime, which restricts the maximum travel distance, since the packet can travel at most at the speed of light. Either type of leash can prevent the wormhole attack, because it allows the receiver of a packet to detect if the packet traveled further than the leash allows.

A. Geographical Leashes

To construct a geographical leash, in general, each node must know its own location, and all nodes must have loosely synchronized clocks. When sending a packet, the sending node includes in the packet its own location, $p_s$, and the time at which it sent the packet, $t_s$; when receiving a packet, the receiving node compares these values to its own location, $p_r$, and the time at which it received the packet, $t_r$. If the clocks of the sender and receiver are synchronized to within $\pm\Delta$, and $\nu$ is an upper bound on the velocity of any node, then the receiver can compute an upper bound on the distance between the sender and itself, $d_{sr}$. Specifically, based on the timestamp $t_s$ in the packet, the local receive time $t_r$, the maximum relative error in location information $\delta$, and the locations of the receiver $p_r$ and the sender $p_s$, then $d_{sr}$ can be bounded by $d_{sr} \le \|p_s - p_r\| + 2\nu \cdot (t_r - t_s + \Delta) + \delta$. A standard digital signature scheme or other authentication technique can be used to enable a receiver to authenticate the location and timestamp in the received packet. This approach is similar to [13].

In certain circumstances, bounding the distance between the sender and receiver, $d_{sr}$, cannot prevent wormhole attacks; for example, when obstacles prevent communication between two nodes that would otherwise be in transmission range, a distance-based scheme would still allow wormholes between the sender and receiver. A network that uses location information to create a geographical leash could control even these kinds of wormholes. To accomplish this, each node would have a radio propagation model. A receiver could verify that every possible location of the sender (a $\delta + \nu(t_r - t_s + 2\Delta)$ radius around $p_s$) can reach every possible location of the receiver (a $\delta + \nu(t_r - t_s + 2\Delta)$ radius around $p_r$).
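
The receiver-side check for the geographical leash of Section IV-A, as an added example that is not code from the paper. It assumes the location and timestamp have already been authenticated, 2-D coordinates in meters, and a receiver-chosen leash length `max_dist`; the early rejection of timestamps ahead of the receiver clock is an added sanity check, and all names and sample values are constructed.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class GeoLeashParams:
    delta_sync: float  # Delta: clock synchronization bound, seconds
    nu: float          # nu: upper bound on node velocity, m/s
    delta_loc: float   # delta: maximum relative location error, m
    max_dist: float    # leash length enforced by the receiver, m (assumed policy)


def distance_bound(p_s, t_s, p_r, t_r, prm):
    """Upper bound d_sr <= ||p_s - p_r|| + 2*nu*(t_r - t_s + Delta) + delta."""
    return (math.dist(p_s, p_r)
            + 2 * prm.nu * (t_r - t_s + prm.delta_sync)
            + prm.delta_loc)


def check_geo_leash(p_s, t_s, p_r, t_r, prm):
    """Return (accepted, bound). bound is None when the timestamp is unusable."""
    if t_r - t_s + prm.delta_sync < 0:
        # Claimed send time lies in the receiver's future by more than Delta:
        # no honest, synchronized sender can produce this (added check).
        return False, None
    bound = distance_bound(p_s, t_s, p_r, t_r, prm)
    return bound <= prm.max_dist, bound


def uncertainty_radius(t_s, t_r, prm):
    """Radius delta + nu*(t_r - t_s + 2*Delta) around a claimed position,
    used with a propagation model when obstacles matter."""
    return prm.delta_loc + prm.nu * (t_r - t_s + 2 * prm.delta_sync)


def demo():
    # Constructed parameters: 1 ms sync, 20 m/s nodes, 5 m GPS error, 300 m leash.
    prm = GeoLeashParams(delta_sync=0.001, nu=20.0, delta_loc=5.0, max_dist=300.0)
    sender, t_s = (0.0, 0.0), 100.0
    cases = {
        # Real neighbor 180 m away, packet heard 0.5 ms after the timestamp.
        "neighbor": check_geo_leash(sender, t_s, (180.0, 0.0), 100.0005, prm),
        # Same packet replayed by a wormhole endpoint next to a node 5 km away.
        "wormhole": check_geo_leash(sender, t_s, (5000.0, 0.0), 100.0005, prm),
        # Same packet replayed to the real neighbor 10 s later: the 2*nu*dt
        # term grows with the packet's age, so stale packets fail as well.
        "stale": check_geo_leash(sender, t_s, (180.0, 0.0), 110.0, prm),
        # Timestamp 100 ms ahead of the receiver clock, far beyond Delta.
        "future": check_geo_leash(sender, t_s, (180.0, 0.0), 99.9, prm),
    }
    return cases


if __name__ == "__main__":
    for name, (ok, bound) in demo().items():
        print(f"{name:9s} accepted={ok} bound={bound}")
```
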
B. Temporal Leashes

To construct a temporal leash, in general, all nodes must have tightly synchronized clocks, such that the maximum difference between any two nodes’ clocks is $\Delta$. The value of the parameter $\Delta$ must be known by all nodes in the network, and for temporal leashes, generally must be on the order of a few microseconds or even hundreds of nanoseconds. This level of time synchronization can be achieved now with off-the-shelf hardware based on LORAN-C [30], WWVB [31], or GPS [10, 44]; although such hardware is not currently a common part of wireless network nodes, it can be deployed in networks today and is expected to become more widely utilized in future systems at reduced expense, size, weight, and power consumption. In addition, the time synchronization signal itself in such systems may be subject to certain attacks [6, 14]. Esoteric hardware such as cesium-beam clocks, rubidium clocks, and hydrogen maser clocks, could also be used in special applications today to provide sufficiently accurate time synchronization for months. Although our general requirement for time synchronization is indeed a restriction on the applicability of temporal leashes, for applications that require defense against the wormhole attack, this requirement is justified due to the seriousness of the attack and its potential disruption of the intended functioning of the network.

To use temporal leashes, when sending a packet, the sending node includes in the packet the time at which it sent the packet, $t_s$; when receiving a packet, the receiving node compares this value to the time at which it received the packet, $t_r$. The receiver is thus able to detect if the packet traveled too far, based on the claimed transmission time and the speed of light. Alternatively, a temporal leash can be constructed by instead including in the packet an expiration time, after which the receiver should not accept the packet; based on the allowed maximum transmission distance and the speed of light, the sender sets this expiration time in the packet as an offset from the time at which it sends the packet. As with a geographical leash, a regular digital signature scheme or other authentication technique can be used to allow a receiver to authenticate a timestamp or expiration time in the received packet.

C. Discussion

An advantage of geographical leashes over temporal leashes is that the time synchronization can be much looser. Another advantage of using geographical leashes in conjunction with a signature scheme (i.e., a signature providing non-repudiation), is that an attacker can be caught if it pretends to reside at multiple locations. This use of non-repudiation was also proposed by Sirois and Kent [41]. When a legitimate node overhears the attacker claiming to be in different locations that would only be possible if the attacker could travel at a velocity above the maximum node velocity $\nu$, the legitimate node can use the signed locations to convince other legitimate nodes that the attacker is malicious.

We define $\delta'(t)$ to be a bound on the maximum relative position error when any node determines its own location twice within a period of time $t$. By definition, $\delta'(t) \le 2\delta$. In addition, when $t$ is small, $\delta'(t)$ should be small, since the algorithm a node uses to determine its location should be aware of physical speed limits of that node. If some node claims to be at locations $p_1$ and $p_2$ at times $t_1$ and $t_2$, respectively, that node is an attacker if

$$\frac{\|p_2 - p_1\| - \delta'(|t_2 - t_1|)}{|t_2 - t_1|} > \nu .$$

A legitimate node detecting this from these two packets can also broadcast the two packets to convince other nodes that the first node is indeed an attacker. Each node hearing these messages can check the two signatures, verify the discrepancy in the information, and rebroadcast the information if it has not previously done so. To easily perform duplicate suppression in rebroadcasting this information, each node can maintain a blacklist, with each entry in the blacklist containing a node address and the time at which that blacklist entry expires. When a node receives a message showing an attacker’s behavior, it checks if that attacker is already listed in its blacklist. If so, it updates the expiration time on its current blacklist entry and discards the new message; otherwise, it adds a new blacklist entry and propagates the message.

A potential problem with leashes using a timestamp in the packet is that in a contention-based MAC protocol, the sender may not know the precise time at which it will transmit a packet it is sending. For example, a sender using the IEEE 802.11 MAC protocol may not know the time a packet will be transmitted until approximately one slot time (20 µs) prior to transmission. Generating an inefficient digital signature, such as RSA with a 1024-bit key, could take three orders of magnitude more time than this slot time (on the order of 10 ms). The sender, however, can use two approaches to hide this signature generation latency: either increase the minimum transmission unit to allow computation to overlap with transmission, or use a more efficient signature scheme, such as Schnorr’s signature [40], which enables efficient signature generation after pre-processing.

V. TEMPORAL LEASHES AND THE TIK PROTOCOL

In this section, we discuss temporal leashes in more detail and present the design and operation of our TIK protocol that implements temporal leashes.

A. Temporal Leash Construction Details

We now discuss temporal leashes that are implemented with a packet expiration time. We consider a sender who wants to send a packet with a temporal leash, preventing the packet from traveling further than distance $L$. (All nodes are time synchronized up to a maximum time synchronization error $\Delta$.) Thus, $L > L_{\min} = \Delta \cdot c$, where $c$ is the propagation speed of our wireless signal (i.e., the speed of light in air, which is very close to the speed of light in a vacuum). When the sender sends the packet at local time $t_s$, it needs to set the packet expiration time to $t_e = t_s + L/c - \Delta$. When the receiver receives the packet at local time $t_r$, it further processes the packet if the temporal leash has not expired (i.e., $t_r < t_e$); otherwise it drops the packet. This assumes that the packet sending and receiving delay are negligible, such that the sender can predict the precise sending time $t_s$ and the receiver can
immediately record $t_r$ when the first bit arrives (or derive $t_r$ during reception since the bitrate of transmission is known). The receiver needs a way to authenticate the expiration time $t_e$, as otherwise an attacker could easily change that time and wormhole the packet as far as it desires.

In unicast communication, (point-to-point) nodes can use message authentication codes for authentication: the sender S and receiver R must share a secret key K, which they use in conjunction with a message authentication code function (for example HMAC [4]) to authenticate messages they exchange. To send a message M to a receiver R, the sender S sends

$$S \rightarrow R : \langle M, \mathrm{HMAC}_K(M) \rangle ,$$

where the notation $\mathrm{HMAC}_K(M)$ represents the message authentication code computed over message M with key K. The packet sent from S to R contains both the intended message M and $\mathrm{HMAC}_K(M)$. When R receives this message, it can verify the authenticity of the message by comparing the received HMAC value to the HMAC value that it computes for itself over the received message with the secret key K it shares with the sender S.

However, using message authentication codes in the standard way has two major drawbacks. First, in a network with $n$ nodes, we would need to set up $\frac{n(n-1)}{2}$ keys, one for each pair of nodes. Key setup is an expensive operation, which makes this approach impractical in large networks. Second, this approach cannot efficiently authenticate broadcast packets. To secure a broadcast packet, the sender would need to add to the packet a separate message authentication code for each receiver, making the packet extremely large (and likely exceeding the network’s maximum packet size). The need to include separate message authentication codes in the packet could be avoided by having multiple receivers share the same key, but this might allow a subset of colluding receivers to impersonate the sender [9].

Instead, attaching a digital signature to each packet could be used to solve the two problems discussed above: each node needs to have only one public-private key pair, and each node needs to know only the public key of every other node. Thus, only $n$ public keys need to be distributed in a network with $n$ nodes. Furthermore, a digital signature provides non-repudiation and authentication for broadcast packets in the same way as for unicast packets.

However, digital signatures have several drawbacks. First, digital signatures are usually based on computationally expensive asymmetric cryptography. For example, the popular 1024-bit RSA digital signature algorithm [39], roughly equivalent to use of a 72-bit key in a symmetric encryption algorithm [27], requires about 10 ms on an 800 MHz Pentium III processor for signature generation. Signature verification is more efficient, but still requires about 0.5 ms on a fast workstation. Adding a digital signature to each packet is computationally expensive for the verifier (receiver), but overwhelmingly expensive for the signer (sender). On less powerful CPUs, each digital signature generation and verification takes on the order of seconds [8].

Since many wireless applications rely heavily on broadcast communication, and since setting up $O(n^2)$ keys is expensive, we design the TIK protocol in Section V-C, based on a new protocol for efficient broadcast authentication that simultaneously provides the functionality of a temporal leash.

B. Tree-Authenticated Values

The TIK protocol we present in Section V-C requires an efficient mechanism for authenticating keys. In this section, we discuss the efficient hash tree authentication mechanism.

Authenticating a sequence of values efficiently is an important primitive used in many security protocols. One-way hash chains are predominantly used for this purpose. One of the first uses of one-way hash chains was for one-time passwords by Lamport [26], which Haller later used to design the S/KEY one-time password system [17]. To motivate why we use a tree structure instead of a one-way hash chain to authenticate values, we briefly describe the drawbacks of a one-way chain.

1) One-way Hash Chain: Consider the chain of length $w$ with the values $C_0, \ldots, C_{w-1}$. We can generate this chain by randomly selecting the last value $C_{w-1}$, and repeatedly applying a one-way hash function $H$ to derive the previous values: $C_{w-2} = H(C_{w-1}), \ldots, C_i = H(C_{i+1})$. The beginning of the chain, $C_0$, serves as a commitment to the entire chain and allows anybody to authenticate the following values of the chain. Because the function $H$ is one-way and provides second pre-image collision resistance (also called weak collision resistance), it is computationally intractable for an attacker to invert $H$ or to find another value $C'_i \ne C_i$, given $C_i$ and $C_{i-1}$, that satisfies $C_{i-1} = H(C'_i)$. (Menezes, van Oorschot, and Vanstone, have a more detailed discussion on one-way hash functions or the second pre-image collision resistance property [28].)

Therefore, if we know that one-way chain value $C_i$ is authentic, and we later learn $C_{i+1}$ with the property that $C_i = H(C_{i+1})$, we know that value $C_{i+1}$ is authentic and is the value that follows $C_i$ on the chain. More generally, we can verify $C_j$ given the authentic value $C_i$ by checking that $C_i = H^{j-i}(C_j)$, with $j > i$. Values from a one-way hash chain are very efficient to verify if we verify the values in sequence. However, for the TIK protocol we present in Section V-C, we would use the values very sparsely. Even though the one-way hash function is very efficient to compute, this computation would still require a substantial verification overhead — we thus use a tree structure for more efficient authentication of values.

2) Hash Tree: To authenticate the sequence of values $v_0, v_1, \ldots, v_{w-1}$, we place these values at the leaf nodes of a binary tree. (For simplicity, we assume a balanced binary tree, so $w$ is a power of 2.) We first “blind” all the values with a one-way hash function $H$ to prevent disclosing additional values (as we will describe below), so $v'_i = H(v_i)$ for each $i$. We then use the Merkle hash tree construction [29] to commit to the values $v'_0, \ldots, v'_{w-1}$. Each internal node of the binary tree is derived from its two child nodes. Consider
the derivation of the parent node $m_p$ from the left and right child nodes, $m_l$ and $m_r$, respectively: $m_p = H(m_l \,\|\, m_r)$. We compute each level of the tree recursively, from the leaf nodes to the root node. Figure 1 shows this construction over the eight values $v_0, v_1, \ldots, v_7$, with $m_{01} = H(v'_0 \,\|\, v'_1)$, $m_{03} = H(m_{01} \,\|\, m_{23})$, and so on.

[Figure 1: binary tree with root $m_{07}$; below it $m_{03}$, $m_{47}$; then $m_{01}$, $m_{23}$, $m_{45}$, $m_{67}$; then the blinded leaves $v'_0, \ldots, v'_7$, each above its value $v_0, \ldots, v_7$.]
Fig. 1. Merkle hash tree

The root value of the tree is used to authenticate all leaf values. To authenticate a value $v_i$, the sender discloses $i$, $v_i$, and all values necessary to verify the path up to the root of the tree. For example, if a sender wants to authenticate key $v_2$ in Figure 1, it includes the values $v'_3$, $m_{01}$, $m_{47}$ in the packet. A receiver with an authentic root value $m_{07}$ can then verify that

$$H\Big[\, H\big[\, m_{01} \,\|\, H[\, H[v_2] \,\|\, v'_3 \,] \,\big] \,\|\, m_{47} \Big]$$

equals the stored $m_{07}$. If the verification is successful, the receiver knows that $v_2$ is authentic.

The extra $v'_0, v'_1, \ldots, v'_7$ in Figure 1 are added to the tree to avoid disclosing (in this example) the value $v_3$ in order to authenticate $v_2$.

3) Hash Tree Optimization: In TIK, the depth of the hash tree can be quite large: given a fixed time interval $I$, the tree is of depth $\lceil \log_2 (t/I) \rceil$, where $t$ is the amount of time between rekeying. For example, if the time interval is 11.5 µs and nodes can be rekeyed once per day, then the tree is of depth 34. As a result, storing the entire tree is impractical.

It is possible, however, to store only the upper layers of the tree and to recompute the lower layers on demand. To reconstruct a tree of depth $d$ requires $2^{d-1}$ applications of the pseudo-random function (PRF) and $2^d - 1$ applications of the hash function, but this technique saves a factor of $2^{d-1}$ in storage. This technique can also be further improved by amortizing this calculation. Specifically, a node keeps two trees of depth $d$: one that is fully computed and currently being used, and one that is being filled in. Since a total of $2^{d-1} + 2^d - 1$ operations are required to fill in the tree, and the full tree will be used for $2^{d-1}$ time intervals, the node needs to perform only 3 operations per time interval, independent of the size of the tree.

We can now compute the true calculation and storage cost for the hash tree that we use in TIK. Let $D$ be the depth of the entire tree, and let $d$ be the depth of the part of the tree that is recomputed on demand. The initial computation of the tree requires $2^{D-1}$ evaluations of the PRF, and $2^D - 1$ evaluations of the hash function. This initial computation can be done offline and is not time-critical. To choose $d$, we consider the value of $d$ that minimizes the total storage needed for the tree. Since total storage is given by $2^{D-d+1} - 1 + 2 \cdot (2^d - 1)$, storage for the tree is minimized when

$$\frac{\partial \left( 2^{D-d+1} - 1 + 2^{d+1} - 2 \right)}{\partial d} = 0$$
$$(-\ln 2)\, 2^{D-d+1} + (\ln 2)\, 2^{d+1} = 0$$
$$2^{d+1} = 2^{D-d+1}$$
$$d + 1 = D - d + 1 .$$

The optimal choice for $d$ is $\frac{D}{2}$, and the total storage requirement for the tree is $2^{\lceil D/2 \rceil + 1} + 2^{\lfloor D/2 \rfloor + 1} - 3$. This represents a storage requirement of just $O(\sqrt{t/I})$. For example, a tree of depth 34 requires only 2.5 megabytes to store, much smaller than the full tree size of 170 gigabytes; once the tree is generated, it can be used at a cost of 3 operations per time interval.

A similar approach can be taken for the generation of future hash trees. That is, once a single hash tree has been generated, each future hash tree can be generated while the current one is used, for a cost of 3 hash functions per time interval plus total storage space for the tree of $2^{\lceil D/2 \rceil + 1} + 2^{\lfloor D/2 \rfloor + 1} - 2$. Only the root of each new tree needs to be distributed, and as mentioned in Section III, these values can be distributed using only symmetric-key cryptography [35], non-cryptographic approaches [42], or by sending them using the current hash tree for authentication.

C. TIK Protocol Description

Our TIK protocol implements temporal leashes and provides efficient instant authentication for broadcast communication in wireless networks. TIK stands for TESLA with Instant Key disclosure, and is an extension of the TESLA broadcast authentication protocol [34]. We contribute the novel observation that a receiver can verify the TESLA security condition (that the corresponding key has not yet been disclosed) as it receives the packet (explained below); this fact allows the sender to disclose the key in the same packet, thus motivating the protocol name “TESLA with Instant Key disclosure.”

TIK implements a temporal leash and thus enables the receiver to detect a wormhole attack. TIK is based on efficient symmetric cryptographic primitives (a message authentication code is a symmetric cryptographic primitive). TIK requires accurate time synchronization between all communicating parties, and requires each communicating node to know just one public value for each sender node, thus enabling scalable key distribution.

We now describe the different stages of the TIK protocol in detail: sender setup, receiver bootstrapping, and sending and verifying authenticated packets.
1) Sender Setup: The sender uses a pseudo-random function (PRF [15]) $F$ and a secret master key $X$ to derive a series of keys $K_0, K_1, \ldots, K_w$, where $K_i = F_X(i)$. The main advantage of this method of key generation is that the sender can efficiently access the keys in any order. Assuming the PRF is secure, it is computationally intractable for an attacker to find the master secret key $X$, even if all keys $K_0, K_1, \ldots, K_{w-1}$ are known. Without the secret master key $X$, it is computationally intractable for an attacker to derive a key $K_i$ that the sender has not yet disclosed. To construct the PRF function $F$, we can use a pseudo-random permutation, i.e., a block cipher [16], or a message authentication code, such as HMAC [4].

The sender selects a key expiration interval $I$, and thus determines a schedule with which each of its keys will expire. Specifically, key $K_0$ expires at time $T_0$, key $K_1$ expires at time $T_1 = T_0 + I$, ..., key $K_i$ expires at time $T_i = T_{i-1} + I = T_0 + i \cdot I$.

The sender constructs the Merkle hash tree we describe in Section V-B to commit to the keys $K_0, K_1, \ldots, K_{w-1}$. The root of the resulting hash tree is $m_{0,w-1}$, or simply $m$. The value $m$ commits to all keys and is used to authenticate any leaf key efficiently. As we describe in Section V-B, in a hash tree with $\log_2(w)$ levels, verification requires only $\log_2 w$ hash function computations (in the worst case, not considering buffering), and the authentication information consists of $\log_2 w$ values.

2) Receiver Bootstrapping: We assume that all nodes have synchronized clocks with a maximum clock synchronization error of $\Delta$. We further assume that each receiver knows every sender’s hash tree root $m$, and the associated parameters $T_0$ and $I$. This information is sufficient for the receiver to authenticate any packets from the sender.

3) Sending and Verifying Authenticated Packets: To achieve secure broadcast authentication, it must not be possible for a receiver to forge authentication information for a packet. When the sender sends a packet $P$, it estimates an upper bound $t_r$ on the arrival time of the HMAC at the receiver. Based on this arrival time, the sender picks a key $K_i$ that will not have expired when the receiver receives the packet’s HMAC ($T_i > t_r + \Delta$). The sender attaches the HMAC to the packet, computed using key $K_i$, and later discloses the key $K_i$ itself, along with the corresponding tree authentication values (as discussed in Section V-B), after the key has expired.

Because of the time synchronization, the receiver can verify after receiving the packet that the key $K_i$ used to compute the authentication has not yet been disclosed, since the receiver knows the expiration time for each key and the sender only discloses the key after it expires; thus, no attacker can know $K_i$, and therefore if the packet authentication verifies correctly once the receiver later receives the authentic key $K_i$, the packet must have originated from the claimed sender. Even another receiver could not have forged a new message with a correct message authentication code, since only the sender knew the key $K_i$ at the time $t_r$ that the receiver received the packet. After the key $K_i$ expires at time $T_i$, the sender then discloses key $K_i$ (and the corresponding tree authentication values); once the receiver gets the authentic key $K_i$, it can authenticate all packets that carry a message authentication code computed with $K_i$. This use of delayed key disclosure and time synchronization for secure broadcast authentication was also used by the TESLA protocol [34].

The above protocol has the drawback that message authentication is delayed; the receiver must wait for the key before it can authenticate the packet. We observe that we can remove the authentication delay in an environment in which the nodes are tightly time synchronized. In fact, the sender can even disclose the key in the same packet that carries the corresponding message authentication code.

Figure 2 shows the sending and receiving of a TIK packet. The figure shows the sender’s and receiver’s timelines, which may differ by a value of up to the maximum time synchronization error $\Delta$. The time $t_s$ here is the time at which the sender $S$ begins transmission of the packet, and time $T_i$ is the disclosure time for key $K_i$. The packet contains four parts: a message authentication code (shown as HMAC in Figure 2), a message payload (shown as $M$), the tree authentication values necessary to authenticate $K_i$ (shown as $T$), and the key used to generate the message authentication code (shown as $K_i$). The TIK packet is transmitted by $S$ as

$$S \to R : \langle \mathrm{HMAC}_{K_i}(M),\ M,\ T,\ K_i \rangle ,$$

where the destination $R$ may be unicast or broadcast. After the receiver $R$ receives the HMAC value, it verifies that the sender did not yet start sending the corresponding key $K_i$, based on the time $T_i$ and the synchronized clocks. If the sender did not yet start sending $K_i$, the receiver verifies that the key $K_i$ at the end of the packet is authentic (using the hash tree root $m$ and the hash tree values $T$), and then uses $K_i$ to verify the HMAC value in the packet. If all these verifications are successful, the receiver accepts the packet as authentic.

The TIK protocol already provides protection against the wormhole attack, since an attacker who retransmits the packet will most likely delay it long enough that the receiver will reject the packet because the corresponding key has already expired and the sender may have disclosed it. However, we can also add an explicit expiration timestamp to each packet for the temporal leash, and use TIK as the authentication protocol. For example, each packet could include a 64-bit timestamp with nanosecond resolution, allowing over 580 years of use starting from the epoch. Since the entire packet is authenticated, the timestamp is authenticated.

A policy could be set allowing the reception of packets for which the perceived transmission delay, i.e., the arrival time minus the sending timestamp, is less than some threshold. That threshold could be chosen anywhere between $\tau - \Delta$ and $\tau + \Delta$, where the more conservative approach of $\tau - \Delta$ never allows tunnels but rejects some valid packets, and the more liberal approach of $\tau + \Delta$ never rejects valid packets, but may allow tunneling of up to $2c\Delta$ past the actual normal transmission range.
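
The sender setup, packet format and receiver checks of Sections V-B and V-C, put together as an added Python example (not code from the paper). Assumptions: SHA-256 truncated to 80 bits stands in for H, HMAC-SHA256 for the PRF F and the packet MAC, the key index i travels in the packet, times are integer nanoseconds, and the master key and schedule are constructed values.

```python
import hashlib
import hmac

HASH_LEN = 10  # 80-bit tree values and MAC, the size used in the paper's examples

def H(data: bytes) -> bytes:
    # One-way hash H. Assumption: SHA-256 truncated to 80 bits (the paper benchmarks MD5).
    return hashlib.sha256(data).digest()[:HASH_LEN]

def prf(master: bytes, i: int) -> bytes:
    # K_i = F_X(i), with HMAC as the PRF F (one of the options the paper names).
    return hmac.new(master, i.to_bytes(8, "big"), hashlib.sha256).digest()[:16]

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:HASH_LEN]

def build_tree(keys):
    # levels[0] holds the blinded leaves K'_i = H(K_i); levels[-1] is [root m].
    level = [H(k) for k in keys]
    levels = [level]
    while len(level) > 1:
        level = [H(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
        levels.append(level)
    return levels

def auth_path(levels, i):
    # Sibling of the current node at every level below the root: the values T.
    path = []
    for level in levels[:-1]:
        path.append(level[i ^ 1])
        i >>= 1
    return path

def root_from_path(key, i, path):
    # Recompute the root from a disclosed key and its log2(w) sibling values.
    node = H(key)
    for sibling in path:
        node = H(node + sibling) if i % 2 == 0 else H(sibling + node)
        i >>= 1
    return node

class Sender:
    def __init__(self, master, w, t0, interval):
        assert w > 0 and w & (w - 1) == 0, "w must be a power of 2 (balanced tree)"
        self.keys = [prf(master, i) for i in range(w)]
        self.levels = build_tree(self.keys)
        self.root = self.levels[-1][0]          # public value m given to receivers
        self.t0, self.interval = t0, interval   # K_i expires at T_i = T_0 + i*I

    def pick_key(self, ts, tau, delta):
        # Smallest i with T_i > ts + tau + 2*delta: the receiver's clock may run
        # delta ahead, and its own check (t_rx + delta < T_i) adds another delta.
        i = max(0, (ts + tau + 2 * delta - self.t0) // self.interval + 1)
        if i >= len(self.keys):
            raise ValueError("key schedule exhausted; rekey needed")
        return i

    def send(self, msg, ts, tau, delta):
        i = self.pick_key(ts, tau, delta)
        k = self.keys[i]
        # <HMAC_Ki(M), M, T, K_i>; carrying i explicitly is an assumption of this sketch.
        return {"hmac": mac(k, msg), "msg": msg, "i": i,
                "path": auth_path(self.levels, i), "key": k}

def verify(pkt, root, t0, interval, delta, t_hmac_rx):
    # t_hmac_rx: receiver-clock time at which the HMAC field finished arriving.
    t_i = t0 + pkt["i"] * interval
    if t_hmac_rx + delta >= t_i:
        return "reject: key may already be disclosed"
    if not hmac.compare_digest(root_from_path(pkt["key"], pkt["i"], pkt["path"]), root):
        return "reject: key not committed by root"
    if not hmac.compare_digest(mac(pkt["key"], pkt["msg"]), pkt["hmac"]):
        return "reject: bad HMAC"
    return "accept"

if __name__ == "__main__":
    # Constructed parameters in ns: I = 25 us, delta = 250 ns, tau = 500 ns (150 m at c).
    T0, I, DELTA, TAU = 1_000_000, 25_000, 250, 500
    s = Sender(b"constructed master key X", 8, T0, I)
    ts = 1_010_000
    pkt = s.send(b"ROUTE REQUEST", ts, TAU, DELTA)
    print(verify(pkt, s.root, T0, I, DELTA, ts + TAU))            # direct reception
    print(verify(pkt, s.root, T0, I, DELTA, T0 + pkt["i"] * I))   # replayed after T_i
```
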
[Figure 2: two timelines for one TIK packet whose fields are sent in the order HMAC, $M$, $T$, $K_i$. Time at Sender: marks at $t_s$ and $T_i$. Time at Receiver: marks at $\le (t_s + \tau + \Delta)$ and $\le (T_i - \Delta)$.]
Fig. 2. Timing of a packet in transmission using TIK

With a GPS-disciplined clock [44], time synchronization to within $\Delta = 183$ ns with probability $1 - 10^{-10}$ is possible. If a transmitter has a 250 m range, the $\tau - \Delta$ threshold accepts all packets sent less than 140 m and some packets sent between 140 and 250 m; the $\tau + \Delta$ threshold accepts all packets sent less than 250 m but allows tunneling of packets up to 110 m beyond that distance.

D. MAC Layer Considerations

A TDMA MAC protocol may be able to choose the time at which a frame begins transmission, so that the message authentication code is sent by time $T_i - \frac{r}{c} - 2\Delta$. In this case, the minimum payload length is $\frac{r}{c} + 2\Delta$ times the bit rate of transmission. For additional efficiency, different nodes should have different key disclosure times, and the MAC layer should provide each node with the MAC layer time slot it needs for authenticated delivery.

As mentioned in Section V-C, a CSMA MAC protocol may not be able to control the time at which a frame is sent relative to the key disclosure times. In this case, the minimum payload length needs to be chosen so that a key disclosure time is guaranteed to occur somewhere during the packet’s transmission. For example, if the network physical layer is capable of a peak data rate of 100 Mbps and a range of 150 m, and if the key disclosure interval is chosen to be 25 µs and time synchronization is achieved to within 250 ns, then the minimum packet size must be at least 325 bytes. However, if each value in the hash tree is 80 bits long, and the depth of the tree is 31, then the minimum payload size is just 15 bytes.

If a MAC protocol uses a Request-to-Send/Clear-to-Send (RTS/CTS) frame handshake, the minimum packet size can be reduced by carrying the message authentication code inside the RTS frame. In this case, the frame exchange for transmitting a data packet would be

$$A \to B : \langle \mathrm{RTS},\ \mathrm{HMAC}_{K_i}(M) \rangle$$
$$B \to A : \langle \mathrm{CTS} \rangle$$
$$A \to B : \langle \mathrm{DATA},\ M,\ \text{tree values},\ K_i \rangle .$$

In particular, instead of having a minimum message size of $\frac{r}{c} + 2\Delta + I$ times the transmission data rate, where $I$ is the duration of a time interval, the minimum message size is just $2\Delta + I - 2t_{turn}$ times the data rate, where $t_{turn}$ is the minimum allowed time between receiving a control frame (i.e., the RTS or CTS) and returning a corresponding frame (the CTS or DATA frame, respectively). This minimum message length includes the length of the CTS, DATA header, payload, and hash tree values.

VI. EVALUATION

A. TIK Performance

To evaluate the suitability of our work for use in ad hoc networks, we measured computational power and memory currently available in mobile devices. To measure the number of repeated hashes that can be computed per second, we optimized the MD5 hash code from ISI [43] to achieve maximum performance for repeated hashing.

Our optimized version performs 10 million hash function evaluations in 7.544 s on a Pentium III running at 1 GHz, representing a rate of 1.3 million hashes per second; the same number of hashes using this implementation on a Compaq iPaq 3870 PocketPC running Linux took 45 s, representing a rate of 222,000 hashes per second. Repetitive, simple functions like hashes can also be efficiently implemented in hardware; Helion Technology [18] claims a 20k gate ASIC core design (a third the complexity of Bluetooth [3] and less than a third the complexity of IEEE 802.11 [23]) capable of more than 1.9 million hashes per second and a Xilinx FPGA design using 1650 LUTs capable of 1 million hashes per second. In terms of memory consumption, existing handheld devices, such as the iPaq 3870, come equipped with 32 MB of Flash and 64 MB of RAM. Modern notebooks can generally be equipped with hundreds of megabytes of RAM.

A high-end wireless LAN card such as the Proxim Harmony 802.11a [37] has a transmission range potentially as far as
250 m and data rate as high as 108 Mbps. With time synchronization provided by a Trimble Thunderbolt GPS-Disciplined Clock [44], the synchronization error can be as low as 183 ns with probability $1 - 10^{-10}$. If authentic keys are re-established every day, with a 20-byte minimum packet size and an 80-bit message authentication code length, the tree has depth 33, giving a minimum payload length of 350 bytes (a transmission time of 25.9 µs) and a time interval of 24.7 µs. Assuming that the node generates each new tree while it is using its current tree, it requires 8 megabytes of storage and needs to perform fewer than 243,000 operations per second to maintain and generate trees. To authenticate a received packet, a node needs to perform only 33 hash functions. To keep up with link-speed, a node needs to verify a packet at most every 25.9 µs, thus requiring 1,273,000 hashes per second, for a total computational requirement of 1,516,000 hashes per second. This can be achieved today in hardware, either by placing two MD5 units on a single FPGA, or with an ASIC. Many laptops today are equipped with at least 1.2 GHz Pentium III CPUs, which should also be able to perform 1.5 million hash operations per second.

Current commodity wireless LAN products such as commonly used IEEE 802.11b cards [2] provide a transmission data rate of 11 Mbps and a range of 250 m. Given the same time synchronization, rekeying interval, minimum packet size, and message authentication code length, the tree has depth 30, giving a minimum payload length of 320 bytes (a transmission time of 232 µs) and a time interval of 231.5 µs. Assuming that the node generates each new tree while it is using its current tree, it requires just 2.6 megabytes of storage and needs to perform just 26,500 operations per second. To authenticate a received packet, a node needs to perform only 30 hash functions. Since any IP packet authenticated using TIK would take at least 232 µs to transmit in this example, TIK can authenticate packets at link-speed using just 13,000 hashes per second, for a total of 39,500 hash functions per second, which is well within the capability of an iPaq, with 82.2% of its CPU time to spare.

In a sensor network such as Hollar et al.’s weC mote [22, 45], nodes may only be able to achieve time synchronization accurate to 1 s, have a 19.6 kbps link speed, and 20 m range. In this case, the smallest packet that can be authenticated is 4900 bytes; since the weC mote does not have sufficient memory to store this packet, TIK is unusable in such a resource-scarce system. Furthermore, the level of time synchronization in this system is such that TIK could not provide a usable wormhole detection system.

B. Security Analysis

Packet leashes provide a way for a sender and a receiver to ensure that a wormhole attacker is not causing the signal to propagate farther than the specified normal transmission distance. When geographic leashes are used, nodes also detect tunneling across obstacles such as mountains that are otherwise impenetrable by radio. As with other cryptographic primitives, a malicious receiver can refuse to check the leash, just like a malicious receiver can refuse to check the authentication on a packet. This may allow an attacker to tunnel a packet to another attacker without detection; however, that second attacker cannot then retransmit the packet as if it were the original sender without then being detected.

A malicious sender can claim a false timestamp or location, causing a legitimate receiver to have mistaken beliefs about whether or not the packet was tunneled. When geographic leashes are used in conjunction with digital signatures, nodes may be able to detect a malicious node and spread that information to other nodes, as discussed in Section IV-C. However, this attack is equivalent to the malicious sender sharing its keys with the wormhole attacker, allowing the sending side of the wormhole to place appropriate timestamps or location information on any packets sent by the malicious sender that are then tunneled by the wormhole attacker.

C. Comparison Between Geographic and Temporal Leashes

Temporal leashes have the advantage of being highly efficient, especially when used with TIK, as described in Section V. Geographic leashes, on the other hand, require a more general broadcast authentication mechanism, which may result in increased computational and network overhead. Location information also may require more bits to represent, further increasing the network overhead.

Geographic leashes have the advantage that they can be used in conjunction with a radio propagation model, thus allowing them to detect tunnels through obstacles. Furthermore, geographic leashes do not require the tight time synchronization that temporal leashes do. In particular, temporal leashes cannot be used if the maximum range is less than $c\Delta$, where $c$ is the speed of light and $\Delta$ is maximum clock synchronization error; geographic leashes can be used until the maximum range is less than $2\nu\Delta$, where $\nu$ is the maximum movement speed of any node.

To evaluate the practicality of geographic leashes, we consider a radio of range 300 m, maximum movement speed of 50 m/s, a relative positioning error of 3 m, and time synchronization error of 1 ms. Then $t_r - t_s \le 2$ ms, since the propagation time is at most 1 ms and the time synchronization error is at most 1 ms. Then $d_{sr} \le \|p_s - p_r\| + 100\ \text{m/s} \cdot 2\ \text{ms} + 3\ \text{m} = \|p_s - p_r\| + 3.2$ m. Since $\|p_s - p_r\|$ could be as much as 3 m, the effective transmission range of the network interface is reduced by at most 6.2 m.

To compare the effectiveness of geographic leashes and temporal leashes, we compare the distance derived using each approach: $d_{sr} \le \|p_s - p_r\| + 2\nu \cdot (t_r - t_s + \Delta) + \delta$ for geographic leashes and $d_{sr} \le c \cdot (t_r - t_s + \Delta)$ for temporal leashes. We use $\frac{d_{max}}{c}$ to denote the maximum propagation time. Then the maximum error is bounded by $\delta + 2\nu\left(\frac{d_{max}}{c} + 2\Delta\right) + \delta = 2\delta + 4\nu\Delta + 2\nu\frac{d_{max}}{c}$ for geographic leashes, and by $2c\Delta$ for temporal leashes. Geographic leashes are then more effective when $\delta < c\Delta - 2\nu\Delta - \frac{\nu}{c} d_{max}$. In general, $\nu$ is much smaller than $c$. Given sufficient computing power and network bandwidth, geographic leashes should be used when $\delta < c\Delta$, and temporal leashes should be used when $\delta \ge c\Delta$.
VII. RELATED WORK

Radio Frequency (RF) watermarking is another possible approach to providing the security described in this paper. Since we are aware of no published specific details, it is difficult to assess its security. If the radio hardware is kept secret, such as through tamper-resistant modules, some level of security can be provided against compromised nodes; however, if the radio band in which communications are taking place is known, then an attacker can attempt to tunnel the entire signal from one location to another.

It may be possible to modify existing intrusion detection approaches to detect a wormhole attacker; since the packets sent by the wormhole are identical to the packets sent by legitimate nodes, such detection would more easily be achieved jointly with hardware able to specify some sort of direction of arrival information for received packets. To the best of our knowledge, no work has been published regarding the possibility of using intrusion detection systems specifically to detect wormhole attackers.

Brands and Chaum [7] propose a three-way handshake which bounds the distance between a node and a verifier by measuring the round trip time between them. Our technique is able to detect wormholes with only a single message, and requires corrections for clock skew between the sender and receiver.

TESLA generally chooses longer time intervals than TIK does, in order to reduce the amount of computation needed to authenticate a new key. As a result, TESLA is capable of functioning with much looser time synchronization than is required by TIK. Given a sufficient level of time synchronization, TIK provides an advantage over hop-by-hop authentication with TESLA, with respect to latency and packet overhead, but it suffers with respect to byte overhead. In particular, since TIK key disclosure always occurs in the same packet as the data protected, packets can be verified instantly; with TESLA, on the other hand, packets must wait, on average 1.5 time intervals, which is especially significant when packets are authenticated hop-by-hop, as may be required in a multi-hop ad hoc network routing protocol.

The IEEE 802.11i Task Group is designing modifications to IEEE 802.11 [20] to improve security. These modifications generally use a single shared key, or, when multiple keys are used, the keys are used between multiple clients and a single base station. Since base stations are not present in ad hoc networks, and since a single shared key does not prevent any attacks launched from a compromised node, these proposals do not sufficiently address authentication for ad hoc network routing. Furthermore, none of the current proposals within IEEE 802.11i address the wormhole attack.

Other Medium Access Control protocols also specify privacy and authenticity mechanisms. These mechanisms typically use one or more shared keys, allowing compromised nodes to forge packets. Furthermore, to the best of our knowledge, none of these mechanisms protect against wormhole attacks.

VIII. CONCLUSIONS

In this paper, we have introduced the wormhole attack, a powerful attack that can have serious consequences on many proposed ad hoc network routing protocols; the wormhole attack may also be exploited in other types of networks and applications, such as wireless access control systems based on physical proximity. To detect and defend against the wormhole attack, we introduced packet leashes, which may be either geographic or temporal leashes, to restrict the maximum transmission distance of a packet. Finally, to implement temporal leashes, we presented the design and performance analysis of a novel, efficient protocol, called TIK, which also provides instant authentication of received packets.

TIK requires just n public keys in a network with n nodes, and has relatively modest storage, per packet size, and computation overheads. In particular, a node needs to perform only between 3 and 6 hash function evaluations per time interval to maintain up-to-date key information for itself, and roughly 30 hash functions for each received packet. With commodity hardware such as 11 Mbps wireless links, TIK has computational and memory requirements that are easily satisfiable today; 2.6 megabytes for hash tree storage represents, for example, less than 3% of the standard memory on a Compaq iPaq 3870 with no external memory cards, and since the StrongARM CPU on the iPaq is capable of performing 222,000 symmetric cryptographic operations per second, TIK imposes no more than an 18% load on CPU time, even when flooded with packets at the maximum speed of the wireless network, and normally uses less CPU load than that in normal operation.

When used in conjunction with precise timestamps and tight clock synchronization, TIK can prevent wormhole attacks that cause the signal to travel a distance longer than the nominal range of the radio, or any other range that might be specified. Sufficiently tight clock synchronization can be achieved in a wireless LAN using commercial GPS receivers [44], and wireless MAN technology could be sufficiently time-synchronized using either GPS or LORAN-C [30] radio signals.

A MAC layer protocol using TIK efficiently protects against replay, spoofing, and wormhole attacks, and ensures strong freshness. TIK is implementable with current technologies, and does not require significant additional processing overhead at the MAC layer, since the authentication of each packet can be performed on the host CPU.

Our geographic leashes are less efficient than temporal leashes, since they require broadcast authentication, but they can be used in networks where precise time synchronization is not easily achievable. The dominant factor in the usability of geographic leashes is the ability to accurately measure location; because node movement is very slow relative to the speed of light, the effects of reduced time synchronization accuracy are slight.

REFERENCES

[1] Norman Abramson. The ALOHA System—Another Alternative for Computer Communications. In Proceedings of the Fall 1970 AFIPS
Computer Conference, pages 281–285, November 1970.
[2] Agere Systems Inc. Specification sheet for ORiNOCO World PC Card. Allentown, PA. Available at ftp://ftp.orinocowireless.com/pub/docs/ORINOCO/BROCHURES/US/World%20PC%20Card%20US.pdf.
[3] ARC International. ARC releases BlueForm, a comprehensive solution for Bluetooth systems on a chip. Press Release 6-04-01, Elstree, United Kingdom. Available at http://www.arccores.com/newsevents/PR/6-04-01-2.htm, June 4 2001.
[4] Mihir Bellare, Ran Canetti, and Hugo Krawczyk. Keying Hash Functions for Message Authentication. In Advances in Cryptology – CRYPTO ’96, edited by Neal Koblitz, volume 1109 of Lecture Notes in Computer Science, pages 1–15. Springer-Verlag, Berlin Germany, 1996.
[5] Bhargav Bellur and Richard G. Ogier. A Reliable, Efficient Topology Broadcast Protocol for Dynamic Networks. In Proceedings of the Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM’99), pages 178–186, March 1999.
[6] Matt Bishop. A Security Analysis of the NTP Protocol Version 2. In Proceedings of the Sixth Annual Computer Security Applications Conference, November 1990.
[7] Stefan Brands and David Chaum. Distance-Bounding Protocols. In Workshop on the theory and application of cryptographic techniques on Advances in cryptology (CRYPTO 1994), volume 839 of Lecture Notes in Computer Science, pages 344–359. Springer-Verlag, August 1994.
[8] Michael Brown, Donny Cheung, Darrel Hankerson, Julio Lopez Hernandez, Michael Kirkup, and Alfred Menezes. PGP in Constrained Wireless Devices. In Proceedings of the 9th USENIX Security Symposium, pages 247–262, August 2000.
[9] Ran Canetti, Juan Garay, Gene Itkis, Daniele Micciancio, Moni Naor, and Benny Pinkas. Multicast Security: A Taxonomy and Some Efficient Constructions. In Proceedings of the Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM’99), pages 708–716, March 1999.
[10] Tom Clark. Tom Clark’s Totally Accurate Clock FTP Site. Greenbelt, Maryland. Available at ftp://aleph.gsfc.nasa.gov/GPS/totally.accurate.clock/.
[11] Mark Corner and Brian Noble. Zero-Interaction Authentication. In Proceedings of the Eighth Annual International Conference on Mobile Computing and Networking (MobiCom 2002), pages 1–11, September 2002.
[12] Defense Advanced Research Projects Agency. Frequently Asked Questions v4 for BAA 01-01, FCS Communications Technology. Washington, DC. Available at http://www.darpa.mil/ato/solicit/baa01_01faqv4.doc, October 2000.
[13] Y. Desmedt. Major Security Problems with the “Unforgeable” (Feige-)Fiat-Shamir Proofs of Identity and How to Overcome Them. In Proceedings of the 6th worldwide computer congress on computer and communications security and protection (SecuriCom 88), pages 147–159, March 1998.
[14] Eran Gabber and Avishai Wool. How to Prove Where You Are. In Proceedings of the 5th ACM Conference on Computer and communications Security, pages 142–149, November 1998.
[15] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to Construct Random Functions. Journal of the ACM, 33(4):792–807, October 1986.
[16] Shafi Goldwasser and Mihir Bellare. Lecture Notes on Cryptography. Summer Course “Cryptography and Computer Security” at MIT, 1996–1999, August 1999.
[17] Neil M. Haller. The S/KEY One-time Password System. In Proceedings of the 1994 Symposium on Network and Distributed Systems Security, edited by Dan Nesset and Robj Shirey, pages 151–157, February 1994.
[18] Helion Technology Ltd. High Performance Solutions in Silicon — MD5 Core. Cambridge, England. Available at http://www.heliontech.com/core5.htm.
Ad Hoc Networking, edited by Charles E. Perkins, chapter 5, pages 139–172. Addison-Wesley, 2001.
[22] J. M. Kahn, R. H. Katz, and K. S. J. Pister. Next Century Challenges: Mobile Networking for Smart Dust. In Proceedings of the Fifth Annual International Conference on Mobile Computing and Networking (MobiCom’99), pages 271–278, August 1999.
[23] Dean Kawaguchi and Sarosh Vesuna. Symbol Technologies, Inc. Automates System-To-Gates Design Flow For Wireless LAN ASIC with COSSAP and Behavioral Compiler. Mountain View, California. Available at http://www.synopsys.com/news/pubs/bctb/sep98/frame_art1.html, September 1998.
[24] Tim Kindberg, Kan Zhang, and Narendar Shankar. Context Authentication Using Constrained Channels. In Proceedings of the Fourth IEEE Workshop on Mobile Computing Systems and Applications (WMCSA 2002), pages 14–21, June 2002.
[25] Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu Lu, and Lixia Zhang. Providing Robust and Ubiquitous Security Support for Mobile Ad-Hoc Networks. In Proceedings of the Ninth International Conference on Network Protocols (ICNP 2001), pages 251–260, November 2001.
[26] Leslie Lamport. Password Authentication with Insecure Communication. Communications of the ACM, 24(11):770–772, November 1981.
[27] Arjen K. Lenstra and Eric R. Verheul. Selecting Cryptographic Key Sizes. Journal of Cryptology: The Journal of the International Association for Cryptologic Research, 14(4):255–293, September 2001. Available at http://www.cryptosavvy.com/.
[28] A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press Series on Discrete Mathematics and its Applications. CRC Press, 1997.
[29] Ralph Merkle. Protocols for Public Key Cryptosystems. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 122–136, April 1980.
[30] David L. Mills. A Computer-Controlled LORAN-C Receiver for Precision Timekeeping. Technical Report 92-3-1, Department of Electrical and Computer Engineering, University of Delaware, Newark, DE, March 1992.
[31] David L. Mills. A Precision Radio Clock for WWV Transmissions. Technical Report 97-8-1, Department of Electrical and Computer Engineering, University of Delaware, Newark, DE, August 1997.
[32] Charles E. Perkins and Pravin Bhagwat. Highly Dynamic Destination-Sequenced Distance-Vector Routing (DSDV) for Mobile Computers. In Proceedings of the SIGCOMM’94 Conference on Communications Architectures, Protocols and Applications, pages 234–244, August 1994.
[33] Charles E. Perkins and Elizabeth M. Royer. Ad-Hoc On-Demand Distance Vector Routing. In Proceedings of the Second IEEE Workshop on Mobile Computing Systems and Applications (WMCSA’99), pages 90–100, February 1999.
[34] Adrian Perrig, Ran Canetti, Doug Tygar, and Dawn Song. Efficient Authentication and Signature of Multicast Streams over Lossy Channels. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 56–73, May 2000.
[35] Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, and J. D. Tygar. SPINS: Security Protocols for Sensor Networks. In Proceedings of the Seventh Annual International Conference on Mobile Computing and Networks (MobiCom 2001), pages 189–199, July 2001.
[36] Raymond L. Pickholtz, Donald L. Schilling, and Laurence B. Milstein. Theory of Spread Spectrum Communications — A Tutorial. IEEE Transactions on Communications, 30(5):855–884, May 1982.
[37] Proxim, Inc. Data sheet for Proxim Harmony 802.11a CardBus Card. Sunnyvale, CA. Available at http://www.proxim.com/products/all/harmony/docs/ds/harmony_11a_cardbus.pdf.
[38] Amir Qayyum, Laurent Viennot, and Anis Laouiti. Multipoint Relaying: An Efficient Technique for flooding in Mobile Wireless Networks. Tech-
[19] Jean-Pierre Hubaux, Levente Buttyán, and Srdjan Čapkun. The Quest nical Report Research Report RR-3898, Project HIPERCOM, INRIA,
for Security in Mobile Ad Hoc Networks. In Proceedings of the February 2000.
2001 ACM Symposium on Mobile Ad Hoc Networking and Computing [39] Ron L. Rivest, Adi Shamir, and Leonard M. Adleman. A Method for
(MobiHoc 2001), pages 146–155, October 2001. Obtaining Digital Signatures and Public-Key Cryptosystems. Commu-
[20] IEEE Computer Society LAN MAN Standards Committee. Wire- nications of the ACM, 21(2):120–126, February 1978.
less LAN Medium Access Control (MAC) and Physical Layer (PHY) [40] Claus P. Schnorr. Efficient Signature Generation by Smart Cards.
Specifications, IEEE Std 802.11-1997. The Institute of Electrical and Journal of Cryptology, 4(3):161–174, 1991.
Electronics Engineers, New York, New York, 1997. [41] Karen E. Sirois and Stephen T. Kent. Securing the Nimrod Routing
[21] David B. Johnson, David A. Maltz, and Josh Broch. The Dynamic Architecture. In Proceedings of the 1997 Symposium on Network and
Source Routing Protocol for Multihop Wireless Ad Hoc Networks. In Distributed Systems Security (NDSS’97), pages 74–84, February 1997.
[42] Frank Stajano and Ross Anderson. The Resurrecting Duckling: Security [44] Trimble Navigation Limited. Data Sheet and Specifications for Trimble
Issues for Ad-hoc Wireless Networks. In Security Protocols, 7th Thunderbolt GPS Disciplined Clock. Sunnyvale, California. Available
International Workshop, edited by B. Christianson, B. Crispo, and at http://www.trimble.com/thunderbolt.html.
M. Roe. Springer-Verlag, Berlin Germany, 1999. [45] Alec Woo. CS294-8 Deeply Networked Systems Mote Documentation
[43] Joseph D. Touch. Performance Analysis of MD5. In Proceedings of and Development Information. Berkeley, CA. Available at http://
the ACM SIGCOMM ’95 Conference on Applications, Technologies, www.cs.berkeley.edu/˜awoo/smartdust/.
Architectures, and Protocols for Computer Communication, pages 77– [46] Lidong Zhou and Zygmunt J. Haas. Securing Ad Hoc Networks. IEEE
86, August 1995. Network Magazine, 13(6):24–30, November/December 1999.